Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Table Of Contents
MANAGEENGINE DEVICEEXPERT - INTRODUCTION .......................................... 3 INSTALLATION & BASIC SETTINGS ...................................................................... 5 GETTING STARTED & WORKFLOW ..................................................................... 11
Adding Devices.................................................................................................................. 14 Discover Devices ............................................................................................................... 14 Manual Addition of Devices ............................................................................................... 15 Importing Devices from a Text file ..................................................................................... 16
DEVICE GROUPS ................................................................................................... 17 PROVIDING CREDENTIALS FOR DEVICES ......................................................... 19 BACKING UP DEVICE CONFIGURATION ............................................................. 26 VIEWING DEVICE CONFIGURATION DETAILS .................................................... 28 UPLOADING CONFIGURATION............................................................................. 34
Uploading Full Device Configuration ................................................................................. 34 To Upload Select Lines of Configuration to a Single Device ............................................. 34 To Upload Configuration Snippets..................................................................................... 35 Uploading Configuration to Multiple Devices ..................................................................... 35
REAL-TIME CONFIGURATION CHANGE DETECTION ........................................ 36 CONFIGURATION CHANGE MANAGEMENT ....................................................... 39 COMPLIANCE ......................................................................................................... 44 ROLE-BASED USER ACCESS CONTROL ............................................................ 51 AUTOMATION USING TEMPLATES & SCRIPTS .................................................. 55 AUDIT ...................................................................................................................... 59 REPORTS................................................................................................................ 61
AdventNet, Inc.
SEARCHING DEVICES & CONFIGURATION ........................................................ 68 ADMIN OPERATIONS............................................................................................. 71 DISASTER RECOVERY .......................................................................................... 78 TROUBLESHOOTING TIPS.................................................................................... 81
AdventNet, Inc.
Overview
Analysis by numerous IT experts have time and again revealed that the commonest cause for most Network outages is faulty configuration changes. In this age of the Internet, IT applications dominate almost all aspects of business enterprises. To cater to various business needs, network administrators carry out frequent configuration changes to network devices. Every single change to a network device configuration carries with it the risk of creating a network outage, security issues and even performance degradation. The problem becomes still more complex when there are multiple devices from multiple vendors and multiple administrators manage the network and carryout changes. Unplanned changes make the network vulnerable for unexpected outages. Besides, the network administrator is fraught with the challenge of keeping track of all the happenings in the network devices - who did what and when. In mission critical environments, network downtime, even for a few minutes, might prove to be costly. When a configuration error occurs in the network, it becomes a cumbersome task to identify the exact cause and initiate corrective action. Network administrators indeed face a daunting task when it comes to effectively doing the Network Change and Configuration Management! DeviceExpert - a simple and elegant solution ManageEngine DeviceExpert offers a simple, comprehensive and elegant solution for easy Network Change and Configuration Management (NCCM). It offers multivendor network device configuration, continuous monitoring of configuration changes, notifications on respective changes, detailed operation audit and trails, easy and safe recovery to trusted configurations, automation of configuration tasks and insightful reporting. DeviceExpert can manage network devices such as switches, routers, firewalls, wireless access points, integrated access devices etc., from multiple vendors. It discovers network devices, builds up an inventory database and allows IT administrators to take control of configuring the devices from a central console. The web-based administrator console provides the User Interface to perform all the configuration operations. Additionally, it can be accessed from anywhere using any standard web browser.
AdventNet, Inc.
Features
Multi-vendor configuration for switches, routers, firewalls and other devices Real-time configuration tracking and change notification Effective Change Management Policies Quick restoration to trusted configurations through a few simple steps Templates for commonly used configurations Automation of important device configuration tasks Encrypted storage of device configuration in database Contextual, side-by-side comparison of altered configuration Provision for searching devices and configuration Examining device configurations for compliance to a defined set of criteria/rules Comprehensive Audit Trails Auto discovery and manual addition of network devices Detailed reports on inventory and configuration changes User friendly, web based user interface
AdventNet, Inc.
Overview
Welcome to AdventNet ManageEngine DeviceExpert! This section provides information on how to install DeviceExpert solution in your system. This section also deals with the system requirements for DeviceExpert, how to install the solution, how to start and shutdown the product, the ports occupied by DeviceExpert and licensing information.
Prerequisite Software
There is no prerequisite software installation required to use DeviceExpert. The standard system (hardware and software) requirements as mentioned below plus an external mail server (SMTP server) are essential for the functioning of DeviceExpert server, to send various notifications to users.
System Requirements
Following table provides the minimum hardware and software configuration required by DeviceExpert: Hardware Processor RAM 1.8 GHz Pentium processor 512 MB Operating systems Windows 2000 Server / Professional Windows Server 2003 Windows XP Professional Windows Vista Red Hat Linux 7.2 Web-Client HTML client requires one of the following browsers** to be installed in the system: IE 7 and above (on Windows) Firefox 2.0 and above (on
AdventNet, Inc.
Operating systems Red Hat Linux 8.0 Red Hat Linux 9.0 Red Hat Linux Advanced Server 2.1 & 3.0 Red Hat Enterprise Server 2.1 & 3.0 Debian GNU/Linux 3.0 (Woody) Mandrake Linux 10.0
Web-Client Windows and Linux) ** DeviceExpert is optimized for 1024 x 768 resolution and above.
Components of DeviceExpert
The ManageEngine DeviceExpert consists of the following components:
The DeviceExpert server consisting of server and database Built-in TFTP server running on port 69 Built-in syslog server running on port 514 JRE 1.5.0 bundled with DeviceExpert MySQL 5.0.36 bundled with DeviceExpert
Installing DeviceExpert
In Windows Download and execute ManageEngine_DeviceExpert.exe. The installation wizard will guide you through the installation process Choose an installation directory - by default, it will be installed in C:/AdventNet/DeviceExpert; Henceforth, this installation directory path shall be referred as "DeviceExpert_Home". While installing DeviceExpert, you have the option to install DeviceExpert as a service. Just uncheck the checkbox, in case, you do not wish to install it as service In the final step, you will see two check-boxes - one for viewing ReadMe file and the other one for starting the server immediately after installation; if you choose to start the server immediately, it will get started in the background. As unpacking of jars will be done during the first startup, it will take sometime to fully start. If you choose to start the server later, after installation, you can start it from the Start >> Programs >> DeviceExpert menu. From the Start Menu, you can perform other actions such as stopping the server, installing it as service, removing as service, viewing help document, uninstalling the product etc.,
In Linux Login as root user Download ManageEngine_DeviceExpert.bin for linux Assign executable permission using command chmod a+x <file-name>
AdventNet, Inc.
Execute the following command: ./<file_name> Follow the instructions as they appear on the screen DeviceExpert is installed in your machine in the desired location. Henceforth, this installation directory path shall be referred as "DeviceExpert_Home".
Start server Stop server Install as Service Remove it as service View Help Document Uninstall the product Check if the ports required by DeviceExpert are free
Start server Stop server Install as service Remove it as service "Port Check" option - to check if required ports are free
Warning: When you reinitialize the DB, all the data would be lost including the device configuration done by you. You need to start afresh from adding devices
In Linux To Start the server Open a console and navigate to <DeviceExpert_Home>/bin directory (as root user) Execute the script "sh deviceexpert.sh start"
AdventNet, Inc.
To Stop the server Open a console and navigate to <DeviceExpert_Home>/bin directory Execute the script "sh deviceexpert.sh stop"
To reinitialize the DB Open a console and navigate to <DeviceExpert_Home>/bin directory Execute the script "sh deviceexpert.sh reinit" Warning: When you reinitialize the DB, all the data would be lost including the device configuration done by you. You need to start afresh from adding devices
Installing the DeviceExpert server as a startup service Login as root user Open a console and navigate to <DeviceExpert_Home>/bin directory Execute "sh deviceexpert.sh install" To uninstall, execute the script "sh deviceexpert.sh remove"
To start DeviceExpert as a service in Linux Login to the system as super user Execute /etc/rc.d/init.d/deviceexpert-service start DeviceExpert server runs in the background as service
To stop DeviceExpert Server started as service in Linux Login to the system as super user Execute /etc/rc.d/init.d/deviceexpert-service stop
To check if the ports required by DeviceExpert are free Login to the system as super user navigate to <DeviceExpert_Home>/bin directory Execute "deviceexpert.sh portcheck"
AdventNet, Inc.
To check if the ports required by DeviceExpert are free The ports mentioned above should be free while starting the server. It is quite possible that any of the above ports might already be in use and as a result, DeviceExpert server would not start. In Windows, you can invoke the 'Port Check' option through Start >> Programs >> DeviceExpert >> Port Check (or) Right click the DeviceExpert tray icon and 'Port Check' option. A prompt will open and it will provide the status of the required ports. In Linux, to invoke the 'port check' option, navigate to <DeviceExpert_Home>/bin directory and invoke "deviceexpert.sh portcheck".
AdventNet, Inc.
Option 2: Install a copy of fresh DeviceExpert on Machine 2. Delete <DeviceExpert_Home>/mysql directory on machine 2 (this step is important) Copy <DeviceExpert_Home>/mysql & <DeviceExpert_Home>/schedule_results folders from the existing installation and paste the same in machine 2
Licensing
There are three license types: Evaluation download valid for 30 days capable of supporting a maximum of 50 devices Free Edition - licensed software allows you to manage up to 2 devices, valid forever Professional Edition - need to buy license based on the number of devices to be supported For more information and to get license, contact sales@adventnet.com
AdventNet, Inc.
10
Overview
This section explains how to connect web interface after starting the server, the basic steps to get started with the product and basic configuration settings required.
Type the username and password in the login screen and press Enter. By default the username and password will be admin and admin respectively.
AdventNet, Inc.
11
Step 2: Provide Credentials This is to enable DeviceExpert communicate with the device. Go to Inventory Tab >> Select a Device >> Click "Credentials". For more details, click here. Step 3: Retrieve Configurations from Device This is to get a copy of device configuration in DeviceExpert. Go to Inventory Tab >> Select a Device >> Click "Backup". For more details, click here. For any assistance, contact support@deviceexpert.com
Compliance Government and industry regulations require IT organizations conform to some standard practices. To become compliant to the regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything - ensuring the presence or absence of certain strings, commands or values. DeviceExpert provides utilities to automatically check for compliance to pre-defined rules. Reports on policy compliance and violations are generated in real-time.
Reports o o o Reports providing a snapshot of various device configuration details, changes in configuration, network inventory etc., Provision for creating custom reports and for customizing the layouts of existing reports as you like Detailed record of log information related to operations - who invoked what operation, on what device at what time and the result of the operation Record of log information related to scheduled tasks executed by DeviceExpert
AdventNet, Inc.
12
Admin o Support o Product support information Important operational settings can be carried out from this tab
Optional o Configure Proxy Settings - In case, you wish to report any issues encountered with the product to to DeviceExpert Support, internet access is required to upload debug logs. If your enterprise network setup is such that you have to go through a proxy server to access the internet, you need to provide the username and password required for internet access. To do this, navigate to Admin -> Proxy Settings page and configure the settings appropriately. For more details refer to the section on Proxy Settings. Configure options for Disaster Recovery - In the rare event of something going wrong with DeviceExpert, it is important to have a backup of device configuration to recover from the disaster. DeviceExpert provides two utilities to achieve this - backing up the device configuration files or backing up the entire database. Once you have the backup, it is easy to achieve a quick disaster recovery. For more details, refer to the disaster recovery section.
AdventNet, Inc.
13
Adding Devices
Device Addition
Contents Overview How do I add my devices? Discover Devices Manual Addition Importing Devices
Overview
The first step after starting the server and connecting web-interface, is adding your devices to the DeviceExpert inventory. The devices whose configurations are to be managed can be added in bulk or one by one.
Discover Devices
Pre-requisite Discovery can be initiated only for the SNMP-enabled devices. So, ensure that your devices are SNMP-enabled before trying discovery. The Discovery Process The SNMP-enabled devices available in the network can be discovered and added to the DeviceExpert inventory. You can discover a specific device, devices present in a specific IP range and even multiple devices. To Initiate Discovery, Go to Inventory >> New Devices and click "Discover Devices" The discovery wizard provides the option for discovering the devices with specific IP addresses or devices falling under a specific IP range and multiple devices whose details are present in a file. Based on your need for discovery, choose any one of the options for "Discover Devices by".
AdventNet, Inc.
14
Provide SNMP Settings, 1. Select the SNMP version - v1 or v2c. Enter the value for SNMP community - You can enter either a read community or write community. The default community displayed is "public" which is the default "read community" in most of the devices 2. Fill-in other details such as SNMP port, snmp timeout value in milliseconds, retry count for discovery - that is, the number of times DeviceExpert has to repeatedly try to discover the device in case, the device is not getting discovered during the first attempt 3. To initiate discovery, click the button 'Discover'. The wizard will discover the desired device(s) and add them to the inventory. You will find the new device(s) in the inventory list
Format for entries to discover multiple devices from flat files You can even discover multiple devices by simply loading a file containing the device details. Entries in the file need to be in a specific format as detailed below. You have the option to enter hostname or IP address or both of the devices to be discovered. Each entry has to be entered in a separate line. When you enter both hostname and IP address of a host, you need to separate the entries with a space or a tab. For example, typical entries in the file would be something like the ones below: cisco805 catalyst2900 192.168.117.12 foundry2402 192.168.111.2 cisco1710
Tracking Discovery Status After starting discovery of devices, you can track the status of discovery on real time basis. You can find the progress of discovery (that is percentage of completion) and finally the result - whether the device/devices was/were discovered successfully and added to the inventory. In case of failure of discovery process, the probable reason for the failure is also reported. Apart from viewing the status of discovery of a particular attempt on real-time basis, you can even view historical information pertaining to all device discovery attempts made so far and their respective status / result by clicking the link "Discovery Status".
AdventNet, Inc.
15
2. 'Add Device' UI will pop-up. The device can be added by providing hostname/ip address of the device to be added, the device vendor, type, series & model from the drop-down and click "Add" 3. You will see the progress of device addition in the UI and once the device gets added, you will be prompted to enter credentials for the same
AdventNet, Inc.
16
Device Groups
Contents Overview Creating Device Groups Operations Supported for Groups Managing Device Groups
Overview
Sometimes, you might need to group devices based on some logical criteria. For example, you may wish to create groups such as a group containing all cisco routers, or a group containing all cisco switches etc., This would help in carrying out certain common operations with ease. A group can be based on some criteria or could be just a random collection of devices. This section explains how to group devices and perform various operations in bulk for the group as a whole.
6. Click "Save" Once you create a group, the name of the group will be listed under "Device Group" in the left pane.
AdventNet, Inc.
17
Performing operations on a group 1. Go to "Inventory" >> "Device Group" and click the name of the group. Upon clicking this, the Associated Devices would be listed 2. Perform any operation as desired by choosing the relevant menu item
AdventNet, Inc.
18
Overview
Once you add the device to the DeviceExpert inventory, you need to provide device credentials to establish communication between the device and DeviceExpert. Details such as the mode (protocol) through which communication is to be established, port details, login name, password etc. are to be provided.
AdventNet, Inc.
19
A typical device for which Password and Enable Password are configured
AdventNet, Inc.
20
Entering values when login name is enabled and directly going to enable mode
Primary Credentials S.No 1 Credential Login Name Description While establishing connection with a device, if the device asks for a Login Name, set a value for this parameter. This parameter is Optional. To set the Password for accessing the device. The prompt that appears after successful login. When entering into privileged mode, some devices require UserName to be entered. Provide the username if prompted; otherwise leave this field empty. This is for entering into privileged mode to perform configuration operations like backup/upload. This parameter is mandatory. This is the prompt that will appear after going into enable mode.
2 3 4
Additional Credentials Click the link "Additional Credentials" to view/enter values for these parameters. Except TFTP Server Public IP, all other parameters are usually assigned with certain Standard Values by default. Such standard values have been filled for these parameters. Most of the devices would work well with these values and you need not edit these details unless you want to provide different set of details.
AdventNet, Inc.
21
S.No 1
2 3
Description When the device is present outside the private network (i.e. when the private IP of DeviceExpert is not reachable for the device) this parameter can be used to provide the public IP of the DeviceExpert server (NAT'ed IP of DeviceExpert). This IP will be used in Configuration backup via TFTP. Port number of Telnet/SSH - 23 (for Telnet) and 22 (for SSH) by default. The text/symbol that appears on the console to get the typed login name is referred as login prompt. For example, Login: The text displayed on the console when asking for password. For example, Password: The text displayed on the console when asking for Enable UserName. For example, UserName: The text displayed on the console when asking for password. For example, Password:
4 5 6
After providing the credentials, if you want to take a backup of the device immediately after updating the credentials, select the 'backup' checkbox Click 'Save & Test' if you want to test the validity of the credentials; otherwise, click "Update" to apply the values The chosen credentials would be applied to the Device
Once you complete this step - that is, providing credentials, you will find the credentials icon beside the device name in the inventory.
After providing the credentials, click 'Update & Test' This updates the credential values in the DB and then carries out the testing. The result of the testing will be shown in a separate window as below:
AdventNet, Inc.
22
The testing result indicates valid credential values with a green 'tick' mark. The invalid values are marked as red cross marks. You need to change the invalid values. Alongside, the CLI command execution result (through which DeviceExpert ascertains the validity of credential values) is also displayed If you want to test the validity of credentials of a device which has already been given credentials, select the particular device in the inventory, click 'Credentials'. In the Device Credentials page that opens up, click "Test Credentials". Rest is same as above.
Note: The credential testing option is provided only for TELNET-TFTP, TELNET, SSH and SSH-TFTP protocols.
For SNMP-TFTP
User Credential Profile If you have downloaded DeviceExpert and carrying out the settings for the first time, you may skip this 'User Credential Profile' step. DeviceExpert offers the flexibility of creating common credentials and sharing the common credentials among multiple devices. The Common Credentials are known as profiles. For more details click here. Primary Credentials for SNMP-TFTP
S.No 1 2
Description Port number of SNMP - 161 by default. An SNMP community is a group of managed devices and network management systems within the same administrative domain. Each SNMP request packet includes a community name. When a request packet is received, the remote access server looks for the name in its community table: If the name is not found, the request is
AdventNet, Inc.
23
S.No
Credential
Description denied and an error is returned. If the name is found, the associated access level is checked and the request is accepted if the access level is high enough for the request. The SNMP Read Community string is like a user id or password that allows Read-only access to the device. The SNMP Write Community string is like a user id or password that allows Read and Write access to the devices.
Write Community
Additional Credentials Click the link "Additional Credentials" to view/enter values for these parameters. Except TFTP Server Public IP, all other parameters are usually assigned with certain Standard Values by default. Such standard values have been filled for these parameters. Most of the devices would work well with these values and you need not edit these details unless you want to provide different set of details. S.No 1 Credential TFTP Server Public IP Description When the device is present outside the LAN (i.e. when the private IP of DeviceExpert is not reachable for the device) this parameter can be used to provide the public IP of the DeviceExpert server (NAT'ed IP of DeviceExpert). This IP will be used in Configuration backup via TFTP.
AdventNet, Inc.
24
2. In the 'Add Credential Profile' GUI that opens, Provide a Name for the new credential profile that has to be created. This is the name that will appear in the "Use Profile" dropdown Provide a description for the profile. Though this is for reference purpose, filling up this field is mandatory to avoid confusion at any future point of time Fill-up credential values for the desired protocol. [Refer to the description provided above for information about the parameters and guidelines on choosing the values] and click the "Add". The New Credential Profile is created
AdventNet, Inc.
25
Overview
After setting up the devices, the first operation that would be performed is backing up the device configuration. Backup could be done anytime on demand for a single device or a group of devices in bulk. It can also be automated by creating scheduled tasks. Important Terms Backup Operation denotes retrieval of current configuration from device and transfer of the same to DeviceExpert Upload Operation denotes the transfer of the selected configuration from DeviceExpert to the device
AdventNet, Inc.
26
Note: (1) Backedup version will be stored in DeviceExpert only if there is a difference between currently available configuration in the device and the previously backedup version. Otherwise, it is not stored (2) When the Backup operation fails, you can find the reason why it failed, by clicking the status of the operation in the inventory page - that is, by clicking the link "Backup Failed' present under the column 'Operation' in the inventory. Alternatively, you can click the same link in the under the column 'Error Info' in 'Operation Audit' page
AdventNet, Inc.
27
Overview
After adding the device and providing the credentials, the details about the device can be obtained from the inventory tab in the GUI. This section explains how to view various details about the device and viewing the device configuration.
Viewing Devices
The devices added to DeviceExpert can be viewed from the "Inventory >> All Devices"
AdventNet, Inc.
28
Hardware Properties Upon giving credentials and taking backup of device configuration, hardware properties of the device such as chassis details, model number could be fetched and displayed on the device details page. To view the hardware properties, 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose hardware properties are to be viewed 2. In the GUI that opens up, click the tab "Hardware Properties" the device properties are displayed on the LHS Note: Every time device configuration backup is done, the hardware properties are also fetched and updated. At any point of time, you wish to fetch harware properties, simply execute device backup.
AdventNet, Inc.
29
version of device configuration - startup or running - and save it as a draft as it is or after carrying out some changes. You can also create a new draft altogether
Viewing Current Version (Running & Startup) 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose configuration is to be viewed 2. In the GUI that opens up, the configuration details are displayed on the RHS 3. Click the link "Current Version" against "Running Configuration" / "Startup Configuration" whichever is required Viewing Baseline Version (Running & Startup) 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose configuration is to be viewed 2. In the GUI that opens up, the configuration details are displayed on the RHS 3. Click the link "Baseline Version" against "Running Configuration" / "Startup Configuration" whichever is required Viewing History of Running/Startup Configuration The history of changes that were done over the Running/Startup Configuration are listed with version numbers representing the change. In addition, other details such as who effected the changes at what time and also the reason for the change are also listed. To view the running configuration history, 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose configuration is to be viewed 2. In the GUI that opens up, the configuration details are displayed on the RHS 3. Click the link "Current Version" against "Running Configuration" / "Startup Configuration" whichever is required 4. In the GUI that opens up, the current configuration is shown. The dropdown against the field "Configuration Version" provides the list of all configuration versions. Select the required version. It will be shown in the GUI.
Managing Configurations
Editing Configuration Files You can choose any version in the startup/running history and edit them as draft. To edit configuration files, 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose configuration is to be edited
AdventNet, Inc.
30
2. In the GUI that opens up, the configuration details are displayed on the RHS 3. Click the link "Current Version" against "Running Configuration" / "Startup Configuration" whichever is required to edited 4. In the GUI that opens up, the current configuration is shown. The dropdown against the field "Configuration Version" provides the list of all configuration versions. Select the required version. It will be shown in the GUI. 5. Click "Edit as Draft" available in the drop-down under "Actions". You may now edit the content. Click "Save". You may upload it to the device immediately (as startup/running configuration) by clicking the link "Upload" in "Actions" Creating New Drafts Instead of editing the startup/running configuration, you can create fresh draft configuration to upload only a few commands - say for updating SNMP community. To create a draft, 1. Go to "Inventory >> All Devices" and click the hostname of the particular device whose configuration is to be edited 2. In the GUI that opens up, the configuration details are displayed on the RHS 3. Click the link "New Draft" against the field "Drafts for this device" 4. In the text editor that opens up, you can create the draft with the required commands and "Save". You may upload it to the device immediately by clicking the link "Upload" in "Actions". You may upload it to the device immediately (as startup/running configuration) by clicking the link "Upload" in "Actions"
Important Note: When you upload a new draft to the running configuration of a device, the difference is merged with the previous version. On the other hand, when it is done on the startup configuration, only the draft contents are uploaded - that means, the previous version will be replaced by the draft contents. So, exercise care while uploading draft to the startup configuration.
AdventNet, Inc.
31
configuration versions. Select the required version, which is to be compared with another version. 5. Go to "Show Difference" button and select an option from the drop-down (Diff with Previous, Diff with Baseline, Diff with Startup/Running, Diff with Any)
Note: If you want to execute show commands on multiple devices at one go, make use of the script execution in configuration templates.
Enabling Real-time Change Detection Refer to the section Real-time change detection
Establishing Telnet Connection You can launch telnet connection with the device from the Device Details page. Once you provide the credentials needed, you would be able to have a telnet console and work with it. To launch telnet connection, Go to "Inventory >> All Devices" and click the hostname of the particular device for which you wish to open a telnet session Go to "Actions" and click the link "Telnet" In the UI that opens up, provide the following credentials: Remote Host: The host to which the session is to be established
AdventNet, Inc.
32
Remote Port: The default is set for telnet(23) Login Name: One of the user name/login name present in the remote host Password: Password for the user Login Prompt: This is the prompt that the device issues for getting the user name Password Prompt: This is the prompt that is issued by the device for getting the password Command Prompt: This is the prompt displayed by the device for each command Click "Connect" Telnet console would be launched
AdventNet, Inc.
33
Uploading Configuration
Uploading Device Configuration
Contents Overview Uploading Uploading Uploading Uploading
Overview
While backup deals with taking a copy of the device configuration and retaining it in the DeviceExpert, Upload refers to the opposite. "Upload" transfers the configuration from DeviceExpert to device. Entire configuration file or even select lines/snippet within a file can be uploaded using DeviceExpert.
AdventNet, Inc.
34
AdventNet, Inc.
35
Overview
Unauthorized configuration changes often wreak havoc to the business continuity and hence detecting changes is a crucial task. Detection should be real-time to set things right. DeviceExpert provides real-time configuration change detection and this section explains the steps to be done for enabling change detection.
1. Capture configuration as and when changes happen 2. Get real-time notifications on change detection 3. Find information on who carried out the change and from where (the IP address) 4. Detect unauthorized changes on real-time
AdventNet, Inc.
36
To detect configuration changes through syslog, 1. Go to the "Inventory" tab. Select the device or devices for which you wish to enable change detection 2. Click the link "Enable Change Detection" available in the drop-down under "More Actions" and fill-in the details To disable configuration change detection, In case, you wish to disable the already enabled configuration tracking, you can do so as follows: 1. Select the device or devices for which you wish to disable change detection 2. Click "Enable Change Detection" available in the drop-down under "More Actions". In the UI that opens, click the option "Disable" for the parameter 'Detecting Config Changes through Syslog'
When a user accesses the device via a telnet console and carries out any changes, the username will be captured under the "Changed By" column of the backedup configuration information. The IP address of the user will be printed in the annotation column.
Troubleshooting Tips
Important Note You may sometimes notice the following message in Syslog Configuration for Change Detection: Device(s) not supporting Configuration Detection through Syslog <device1>, <device2>, <device 3>
AdventNet, Inc.
37
This message is displayed in any of the following scenarios: Device does not generate syslog messages; so syslog-based change detection is not possible Device generates syslog messages for configuration change events but DeviceExpert has not yet added change detection support for this device. If this is the case, contact support@deviceexpert.com In the case of Cisco IOS routers and switches, if SNMP protocol is used for communicating with the device, auto configuration for "syslog based change detection" is not supported. In such a case, you need to manually configure the router/switch to forward syslog messages to the DeviceExpert syslog server. Change Detection will then be enabled. Alternatively, you can choose Telnet as the protocol for communication
AdventNet, Inc.
38
Overview
Monitoring the changes done to the configuration is a crucial function in Configuration Management. DeviceExpert provides convenient change management options. Once the configuration change in a device is detected, it is important that notifications are sent to those responsible for change management. It also provides option to roll-back the changes. DeviceExpert helps in sending notifications in four ways:
1. 2. 3. 4.
Sending Email Sending SNMP Traps Generating trouble Tickets Rolling back to the previous version or the baseline version
And these notifications can be sent whenever there happens a change in 1. Startup or Running Configuration 2. Startup Configuration alone 3. Running Configuration alone
AdventNet, Inc.
39
To provide a name, 1. Go to "Inventory" >> "All Devices" and click the name of the device for which change management has to be enabled 2. Click the tab "Change Management" 3. In the "Change Management" GUI that opens up, click the button "New Rule" 4. Enter 'Rule Name' and 'Description' in the respective text fields
Sending Email Notifications To send email notifications to the desired recipients (based on the change management condition specified earlier), 1. Click the checkbox "Send Email Notification" 2. Enter the Email ids of the intended recipients. If you want to send the notification to multiple recipients, enter the ids separated by a comma. By default, the Email ids configured through Admin >> Mail Settings page are displayed here. You may add new Email ids if required 3. Provide a subject for the notification and the actual message in the respective fields. Here, in the subject and message fields, you have the option to provide details such as Device Name, IP, type of configuration that underwent change (startup/running), and who changed the configuration 4. For this purpose, DeviceExpert provides replaceable tags $DEVICENAME, $DEVICEIP, $CONFIGTYPE and $CHANGEDBY. You may use these tags to provide exact details in the subject and message fields of the notification. Example: $CONFIGTYPE of $DEVICENAME changed
AdventNet, Inc.
40
Explanation: If the $CONFIGTYPE is "Running Configuration" and $DEVICENAME is "Primary Router", the actual message in the notification would be "Running Configuration of Primary Router changed". These tags get replaced with the actual values at runtime. 5. You have the option to append the configuration diff in the message. The difference with the previous version would be pasted in the message field. To enable this option, click "Append Configuration Difference in Message". Click "Save". Sending SNMP Trap SNMP v2 traps could be sent to specific host upon detecting a configuration change. To send SNMP trap to the desired host (based on the change management condition specified earlier), 1. Click the checkbox "Send SNMP Trap" 2. Enter hostname or ip address of the recipient. Also, enter SNMP port and community. Default values 162 for port and public for community 3. Click "Save" Note
The SnmpTrapOid will be .1.3.6.1.4.1.2162.100.4.1.2.1 Varbinds will include the display name of the device whose configuration has been changed, its IP address, the type of configuration that underwent change - startup or running and the login name of the user who changed the configuration. Refer ADVENTNET-DEVICEEXPERT-MIB present under <DeviceExpert Home>/protocol/mibs directory
Generating Trouble Tickets Upon detecting changes in configuration, you have the option to generate trouble tickets to your Help Desk. To generate trouble tickets, 1. Click the checkbox "Generate Trouble Tickets" 2. Enter the Email id of the help desk. By default, the Help Desk id configured through Admin >> Mail Settings page are displayed here. You may add new Email ids if required 3. Provide a subject for the notification and the actual message in the respective fields. Here, in the subject and message fields, you have the option to provide details such as Device Name, IP, type of configuration that underwent change (startup/running), and who changed the configuration 4. For this purpose, DeviceExpert provides replaceable tags - $DEVICENAME, $DEVICEIP, $CONFIGTYPE and $CHANGEDBY. You may use these tags to provide exact details in the subject and message fields of the notification. Example: $CONFIGTYPE of $DEVICENAME chaned
AdventNet, Inc.
41
Explanation: If the $CONFIGTYPE is "Running Configuration" and $DEVICENAME is "Primary Router", the actual message in the notification would be "Running Configuration of Primary Router changed". These tags get replaced with the actual values at runtime. 5. You have the option to append the configuration diff in the message. The difference with the previous version would be pasted in the message field. To enable this option, click "Append Configuration Difference in Message". Click "Save"
Rollingback Configuration
Upon detecting changes in configuration, you have the option to revert to the previous version or to the baseline version. To revert to a configuration version, 1. Click the checkbox "Rollback Configuration" 2. If you want to rollback to the previous version - that is, the version immediately preceding the current version (the changed version), choose "Rollback to previous version". When you choose this option, whenever a configuration change is detected, it will immediately be rolled back to the previous version. For example, if a change is detected in the running configuration of a device, and the new version number (changed one) is 7, it will be automatically rolled back to version 6 3. If you want to rollback to the baseline version - that is, the version labeled as the best one, choose "Rollback to version labeled baseline". When you choose this option, whenever a configuration change is detected, it will immediately be rolled back to the baseline version Note: The rollback feature is for preventing unauthorized configuration changes. So, when you have enabled this feature for a particular device, even a well intended configuration change will also be rolled back. So, if you want to do a genuine configuration change, you need to disable the change management rule.
Important Note: 1. With the completion of the above step, the rule thus created gets automatically associated with the particular device from whose device details page it was created. 2. By following exactly the same steps as above, rules can be created from Device Groups page. When doing so, the rule will be automatically associated with all the devices of the group. 3. The Change Management rule associated with a device/device group can be disassociated anytime from the "Inventory" >> "All Devices" >> "Change Management" GUI.
AdventNet, Inc.
42
To associate a single device with a rule/rules, 1. Go to "Inventory" >> "All Devices" and click the hostname of any of the device 2. Click the tab "Change Management" 3. In the "Change Management" GUI that opens up, click the button "Associate Rules" 4. In the page that opens up, the names of available rules are listed. Select the rule/rules, which are to be associated with the device 5. Click "Associate". The rule is associated with the required device To associate a device group with a rule/rules, 1. Go to the "Inventory" >> "Device Group". Click the name of the required device group 2. In the page that opens up, go to "Change Management" tab and slick "Associate Rules" 3. In the page that opens up, the names of available rules are listed 4. Select the rule/rules, which are to be associated with the device group and click "Associate". The rule/rules are associated with the device group. The rule applies to all devices that are part of the group Important Note: If a rule is modified, the change takes effect for all the devices/groups associated with it.
AdventNet, Inc.
43
Compliance
Contents Overview How does compliance check work? How does compliance check benefit me? How do I enable compliance check? Running compliance check Running adhoc tests
Overview
Government and industry regulations require IT organizations conform to some standard practices. To become compliant with the regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything - ensuring the presence or absence of certain strings, commands or values. DeviceExpert helps in automatically checking for compliance to the rules defined. Reports on policy compliance and violations are generated.
AdventNet, Inc.
44
1. Add a Rule Define the line or lines that are to be either compulsorily present or should not be present in the configuration file. A typical example for a rule is checking the access list configuration or checking the community string. Decide what amounts to violation - presence or absence of a particular line or a set of lines in the configuration file To add a rule, 1. Go to Compliance >> Rule >> New Rule 2. Enter Rule Name, Description and other details 3. Select 'Simple Criteria' if your requirement is just to check for the presence or absence of a single line or a group of lines in the configuration file 4. If you want to specify more complex criteria using Regular Expression, select 'Advanced Criteria' and then enter the line in the text field. Simple Criteria Criteria Should contain all lines Description The configuration to be checked for compliance should contain all the lines specified by you. Even if a single line is not found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) oneby-one against the configuration file. It is not necessary that the lines should be present exactly in the same order as specified by you. Since the check is done lineby-line, it is enough if the all the lines are present anywhere in the configuration. Example Criteria: Should contain all lines Configuration lines to check: snmp-server community public RO snmp-server community private RW snmp-server community public1 RO snmp-server community private1 RW Violation: If any or all the lines are NOT present in the configuration file (irrespective of the order of the presence of the lines) Criteria: Should not contain any line Configuration lines to check: snmp-server community public RO snmp-server community private RW snmp-server community public1 RO snmp-server community private1 RW Violation: If any or all the lines are present in the
Exactly opposite to the above. The configuration to be checked for compliance should NOT contain any of the lines specified by you. Even if a single line is found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) oneby-one against the configuration file. The order of the lines are not important.
AdventNet, Inc.
45
Criteria
Description
This is similar to 'Should contain all lines', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if all the four lines are present in the same order as specified. If the lines are not present exactly as specified, it will be pronounced as rule violation.
Exactly opposite to the above. This is similar to 'Should not contain any line', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if the configuration contains the all the four lines in the same order as specified. If the lines are present exactly as specified, it will be pronounced as rule violation.
Example configuration file (irrespective of the order of the presence of the lines) Criteria: Should contain exact set Configuration lines to check: snmp-server enable traps hsrp snmp-server enable traps config snmp-server enable traps entity snmp-server enable traps envmon Violation: If all the lines are NOT present in the configuration file in the same order (and same set) as specified Criteria: Should not contain exact set Configuration lines to check: snmp-server enable traps hsrp snmp-server enable traps config snmp-server enable traps entity snmp-server enable traps envmon Violation: If all the lines are present in the configuration file in the same order (and same set) as specified
Advanced Criteria You can make use of certain Regular Expressions in providing the criteria for checking the configuration for compliance. The following are few examples:
Regular Expression Patterns & Description Matching specific characters Characters inside square brackets can be used to match any of the characters mentioned therein.
AdventNet, Inc.
46
Example: [abc] - This is to look for any of the characters a, b or c. The matching is case-sensitive. Matching a range of characters or numbers Character range inside square brackets can be used to match any of the characters in the range specified therein. The character range could be alphabets or numbers. The matching is case-sensitive. Examples: [a-zA-Z] - This will match any character a through z or A through Z [0-9] - This will match any digit from 0 to 9 Other Specific Matches a dot can be used to match any single character, including space. \d to match any digit from 0 to 9 \D to match any character other than a digit (0-9) \s to match a single space character \S to match any character other than space X? question mark preceded by a character. The character (in the example here 'X') that precedes the question mark can appear at the most once or does not appear at all X* asterisk preceded by a character. The character (in the example here 'X') can appear any number of times or not at all X+ plus sign preceded by a character. The character (in the example here 'X') must appear at least once X|Y characters separated by a pipe symbol. This is to match either first character or the next one. In the example here, this is to match either X or Y For more details, refer to the "Regular Expression Tutorials" of Java Tutorials. More Examples: Description To check if there is a 'public' community present in the configuration To check if logging to a syslog server has been configured To check if enable secret is configured RegEx Pattern snmp-server community public RO|RW - to match any line containing the text "snmp-server community public" followed by either "RO" or "RW" logging \S+ - to match any line containing the text "logging" followed by an ip address enable secret \d \S+ - to match any line containing the text "enable secret" followed by any single digit from 0 to 9 AND any character other than space appearing at least once
AdventNet, Inc.
47
Description The configuration to be checked for compliance should contain the line matching the RegEx pattern specified by you.
The configuration to be checked for compliance should not contain the line matching the RegEx pattern specified by you.
Two or more RegEx patterns defined for 'Should Contain' or 'Should not contain' could be combined through AND/OR conditions
Example Criteria: Should contain line(s) as per the RegEx pattern defined Configuration lines to check: snmp-server community public RO|RW Violation: If the line "snmp-server community public" followed by either "RO" or "RW" is NOT present Criteria: Should not contain line(s) as per the RegEx pattern defined Configuration lines to check: snmp-server community public RO|RW Violation: If the line "snmp-server community public" followed by either "RO" or "RW" is present --
Finally, specify the severity for violation. Click "Save". 2. Group the Rules You can create many rules to cater to specific requirements. A 'Rule Group' refers to a collection of rules. Create a 'Rule Group' by selecting the required rules. To create a rule group, 1. Go to Compliance >> Rule Group >> New Rule Group. Enter Rule Group Name, Description and other details 2. Select the rule/rules to be added to this group. Click "Save". 3. Create Policy Once a rule group is created, you can go ahead to create the required compliance policy by selecting the required Rule Groups. Compliance check is done on all policies associated with a device.
AdventNet, Inc.
48
To create a policy, 1. Go to Compliance tab >> Policy >> New Policy. Enter Policy Name, Description and other details 2. Specify the configuration file type (running/startup) against which the rules in this policy should be checked. For example, if you choose 'Running' only the current running configuration of the device will be checked for compliance with this policy 3. Select the 'Policy Violation Criteria' - i.e specify what amounts to policy violation - your policy might contain different rules with different severities; you can specify here as violation if any rule (irrespective of the severity is found violated) (OR) only crtical or major rules are violated 4. Select the required rule groups and click 'Save' 4. Associate Devices with Compliance Policy After creating a policy, you need to associate it with the required devices/device groups. To associate a policy with a device/devices, 1. Go to Compliance tab >> Policy. Click the link 'Associate' present against the policy 2. Select the devices / device groups and click 'Save'
AdventNet, Inc.
49
To run compliance check for a device group, 1. Go to "Inventory" >> "Device Group" page and click device group for which compliance check has to be run 2. Click the tab "Compliance" 3. Click "Run Compliance Check" present under the box "Compliance Actions". You can even add a schedule for compliance check to be executed at a future point of time. To schedule this, click "Schedule Compliance Check" and fill in the details. When you schedule compliance check, you get the option to notify policy violations to desired recipients by email To view the result & generate compliance report, 1. Compliance status of the selected device group will be displayed in the same page. The compliance result for each device which forms part of the group is displayed in the table. If the device group is associated with more than one policy, the compliance check result for each policy is displayed in the table. 2. You can generate a consolidated report of compliance check result for the device group. The report provides the compliance status and violation details for every device in the device group. The report can be generated as a PDF/CSV and it can even be emailed to desired recipients
AdventNet, Inc.
50
Overview
DeviceExpert deals with the sensitive configuration files of devices and in a multimember work environment, it becomes necessary to restrict access to sensitive information. Fine-grained access restrictions are critical for the secure usage of the product. DeviceExpert provides role-based access control to achieve this. DeviceExpert comes with three pre-defined access levels:
Definition
With all privileges to access, edit and push configuration of all devices. Only administrator can add devices to the inventory, add users, assign roles and assign devices. In addition, administrator can approve or reject requests pertaining to configuration upload (pushing configuration) by operators. With privileges to access, edit and push configuration of specified devices. Can approve or reject requests pertaining to configuration upload (pushing configuration) by operators. With privileges to access and edit configuration of specified devices. Can send requests for configuration upload (pushing configuration) to Administrators/Power Users.
Power User
Operator
This section explains how to create users and assign roles for them.
User Management
User Management Operations such as adding new users and assigning them roles, editing the existing users and deleting the user could be performed only by the Administrators. Other three types of users do not have this privilege. Administrators can create as many users as required and define appropriate roles for the user. From Admin >> General Settings >> User Management, administrators can 1. View all the existing users 2. Create new users 3. Change the access level, device list of existing users
AdventNet, Inc.
51
4. Delete an existing user To view the existing list of users Go to Admin >> General Settings >> User Management. The list of users will be displayed with respective login names, access levels and email IDs Note: The default login name and password for fresh DeviceExpert installation is 'admin' and 'admin' respectively. The default email ID has been configured as admin@adventnet.com. After logging in to the DeviceExpert, change the email ID for admin user. Otherwise, when you invoke 'forgot password' email would be sent to admin@adventnet.com.
AdventNet, Inc.
52
To Delete existing Users 1. Go to Admin >> General Settings >> User Management 2. In the UI that opens, click the delete icon present against the respective username. The user will be removed from DeviceExpert once and for all
Access Level Device Addition Upload (Pushing configuration into the device)
Configuration & Other Operations Authority for approving various requests Compliance Admin Operations User Management
Administrator (create, associate compliance policies) Power User (only for authorized devices) (only associate compliance policies) (all admin operations except database administratio n, export configuration & disaster recovery)
Operator (only for authorized devices, subject to approval by administrator / Power User)
AdventNet, Inc.
53
To approve/reject a request, Go to "Admin" >> "Device Management" >> "Upload Requests" Click "Pending requests". The list of all requests pending for approval are listed. Details such as the type of request, name of the user who made the request and requested time are all listed Upon clicking a request, all details pertaining to that particular request are listed. You can view the proposed configuration change. Click "Approve" or "Reject" after providing your comment for the decision
[Operators can view the status of their request by following the above procedure].
Note: 1. When Administrators approve a upload that is scheduled to be executed at periodic intervals, the following will be the behaviour: Once approved, the upload schedule will not be sent for re-approval during the subsequent executions. For example, consider that a schedule has been created by an operator to upload configuration at a periodic interval of one hour. In this case, the schedule would be submitted for approval only once. If the administrator approves it, it will get executed every hour. From the second schedule onwards, it will not be sent for approval each time. 2. In case, the Administrator/Power User rejects an upload request based on a Schedule, the respective request will be deleted from the database.
AdventNet, Inc.
54
Overview
Quite often, there arises a need to carry out changes to the running configuration of devices and at times, same set of changes need to be applied to multiple devices. Though network administrators can very well edit the configuration manually, the task can prove to be arduous due to the volume of changes and the repetitive nature of the work. DeviceExpert provides a simple solution for this by way of 'Configuration Templates' and 'Scripts'.
AdventNet, Inc.
55
AdventNet, Inc.
56
To execute the Script in Commandline mode, 1. Go to "Admin" >> "Device Management" >> "Custom Templates" and click the 'Execute' link present under the "Action" column of the respective template 2. In the UI that opens, you will see the list of 'Template Variables', if a variable has been created/defined in the template. Enter the desired value for the respective template variables. For example, for '%COMMUNITY%', you can provide 'public' as the value. After entering the values(s), you can preview the actual configuration with full configuration commands and value for community variable(s). To preview the configuration, click 'Preview' 3. To apply changes only to specific devices, click the radio button 'Select Specific Device'. The list of devices are also listed in a box. You can choose any number of devices from that list. [To apply changes to a group of devices, click 'Select Device Group'. You can select the desired group in the drop-down. If you choose this option, the template would be uploaded to all the devices of the selected group] 4. Click 'Execute'. the configuration as defined in the template will be executed on the selected devices. Click the link 'Script Execution History' present under the column 'Execute Output' to the actual output of the commands. If you have executed the script on multiple devices, you can choose the device name from the dropdown to view the output separately. If you want the script execution output on all devices in a single page, click 'Export to PDF'. It will have the output for all the devices on which the script was executed Note: Command line script execution is not supported for the devices with the protocol 'SNMP-TFTP'
AdventNet, Inc.
57
Updating NTP server entries on your devices If you wish to update NTP server details in many details, all that you need to do is to create a template as the one below: configure terminal ntp server x.x.x.x exit Synchronizing Running & Startup Configurations Just through a single line in the script, you can synchronize the startup and running configurations of any number of devices. copy running-config startup-config or copy startup-config running-config The above are just an indicative list to demonstrate how the scripts could be used. You may use it for a lot of other applications. Few more examples are available in our website. Please refer to them.
AdventNet, Inc.
58
Audit
Contents Overview Viewing operation Audit Details Viewing Scheduled Audit Details
Overview
Users perform various operations on device configuration such as backing up the configuration, uploading configuration to device, enabling real-time change detection etc., To ensure security aspects, it is essential to record the information on who invoked what operation, on what device, at what time and the result of the operation. This is done by the Audit module of DeviceExpert and this is termed as "Device Operation Audit". Besides, information about the various scheduled tasks executed by DeviceExpert along with details such as schedule name, result of execution etc., are listed by the Audit Module under "Schedule Audit".
To filter the Audit Trails view, You can restrict the view page of audit trails to view only the trails pertaining to a device group and/or the trails that were generated over a fixed time range - say Today, Yesterday, Last seven days, Last thirty days and a custom period. By
AdventNet, Inc.
59
default, audit trails pertaining to all device groups recorded today gets listed. You can filter and view the details in accordance with your needs. You can filter the trails by selecting the desired "Device Group" from the drop-down and the desired "Time Duration" from the icon available in the UI.
AdventNet, Inc.
60
Reports
Contents Overview Types of Reports Network Reports Configuration Reports User Reports Policy Compliance Reports
Overview
The information on the entire network configuration management process in your enterprise is presented in the form of comprehensive reports vin DeviceExpert. The status and summaries of the different activities such as device configuration details, changes in configuration, network inventory, conflict between startup and running configuration, device audit details, policy compliance details etc are provided in the form of tables and graphs, which assist the network administrators to make a well-informed decisions on device configuration.
Types of Reports
DeviceExpert provides over 12 reports under four categories: 1. 2. 3. 4. Network Reports Configuration Reports User Reports Policy Compliance Reports
Network Reports
All details pertaining to the device properties, hardware properties, firmware details, audit details pertaining to the devices etc have been presented under Network Reports. To access the Network Reports, just go to the "Reports" tab.
Report Name
Hardware Inventory Report
Additional Information
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
AdventNet, Inc.
61
Report Name
Firmware Inventory Report
Additional Information
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page. In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page. In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
AdventNet, Inc.
62
Additional Information
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
Devices (of each device group) whose startup and running configurations differ are presented in this report. In addition, there is provision to view the difference between the startup and running configurations. The report is displayed on 'device group' basis. Click "StartupRunning Conflict Report" in the "Reports" tab to generate the report. Devices (of each device group) that have undergone changes in configuration are presented in this report. The report is displayed on 'device group' basis. Click "Configuration Changes Report" in the "Reports" tab to generate the report. Details on the number of configuration changes done on the configuration of devices (of all device groups) during a particular time period are captured along with the mode of configuration change - whether the changes were done through DeviceExpert or directly from outside the application are captured. The report is displayed on 'device group' basis. Click "Configuration Change Trend Report" in the "Reports" tab to generate the report.
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page. In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
AdventNet, Inc.
63
Additional Information
--
Additional Information
In the report display page, you can view the report for the each group by selecting the respective group name in the 'Device Group' drop-down on the top of the page.
AdventNet, Inc.
64
Scheduling Tasks
Adding Schedules
Contents Overview Adding schedule o Periodic Configuration Backup task o Periodic Report Generation o Schedule for Compliance Check Audit of Scheduled Task Execution Managing Schedules
Overview
If you have a large number of devices, carrying out operations such as backup, upload etc., become monotonous, if they are to be done manually. You might also require to perform certain operations at regular intervals. Execution of these operations can be automated - that is they can be scheduled for execution at the required time automatically. Tasks such as
for a specific device or group of devices could be scheduled for execution at a future point of time. These tasks can be scheduled for automatic execution at periodic intervals or for an one-time execution.
AdventNet, Inc.
65
select the recipients to whom notifications are to be sent. Sending notifications is optional. Finally, click "Save"
AdventNet, Inc.
66
2. In the UI that opens, click the link "View" in Audit column of each schedule Audit can also be viewed from the "Device Details" page of the respective devices.
Managing Schedules
The scheduled tasks once created, can be managed from the "All Schedules" UI from where you can 1. view the properties of scheduled tasks 2. edit the scheduled tasks 3. remove the schedules Viewing the Properties of Scheduled Tasks To view the properties of scheduled tasks, 1. Go to "Admin" >> "Device Management" >> "All Schedules" 2. Click the name of the schedule whose properties are to be viewed Editing Schedules To view edit the properties of scheduled tasks, 1. Go to "Admin" >> "Device Management" >> "All Schedules" 2. Click the name of the schedule whose properties are to be edited 3. Edit the details and click "Save" Enabling/Disabling Schedule At times, you would require to temporarily stop the execution of a scheduled task and would like to resume it again at some other point of time. To disable a schedule, 1. Go to "Admin" >> "Device Management" >> "All Schedules" 2. Select the name of the schedule which is to be disabled and click "Disable" To enable the schedule, click "Enable"
Removing a Schedule If a scheduled task is not needed, you can remove it from the list of schedules. To remove a schedule, 1. Go to "Admin" >> "Device Management" >> "All Schedules" 2. Select the name of the schedule which is to be disabled and click "Disable" 3. Click "Remove"
AdventNet, Inc.
67
Overview
When the number of devices in your work environment becomes too many, it becomes difficult to manually spot a particular device from the inventory. DeviceExpert provides search utility to get the desired devices at the desired moment. This apart, the search utility enables you to search through the device configuration and look for specific words, strings, phrases or a combination of these in device configuration files. This section explains about searching the 1. devices & 2. device configuration
Searching Devices
You can make a search for a particular device or a group of devices among all the available devices in your inventory. When you enter a keyword in the search dialog to search for a device, the following five attributes are searched: 1. 2. 3. 4. 5. Host Name IP Device Type Series Model
This search is basically a 'contains' search. If the keyword entered by you is present in any of the above fields, it will be returned as a search result. To search devices, 1. Go to the search dialog located in the right corner, just below the DeviceExpert tabs on top of the Web Interface 2. Enter the search keyword 3. Click the link "Devices" located next to the search dialog Note: Search is case sensitive. So, use proper cases for search keywords.
AdventNet, Inc.
68
A Note on Search Keywords 1. For searching a device, you can enter a single word or multiple words, each word separated by a space. For example, if you type the word 'cisco' in the search dialog, all the devices that contain the word 'cisco' in any of the five fields mentioned above would be displayed in the search result. If this word is found in more than one field for the same device, the search result will still have only one entry but with highlights for all fields that matched. 2. You can even enter more than one keyword for searching. For example, if you enter 'cisco router', the five fields pertaining to all the devices would be scanned. The fields that contain either 'cisco' or 'router' or both get displayed as search results. You can enter as many words as required, separating each word by a space.
AdventNet, Inc.
69
Combination of Words & Phrases Your search keywords can even be a combination of words and phrases. Current Startup and Running Configuration files are scanned for the words or phrases or both and the search results are displayed accordingly. Matching keyword/phrases are shown highlighted in the configuration file. Refining Configuration Search DeviceExpert gives the option to refine the configuration search further by enabling you to search for a keyword or a phrase or both within the configuration files of certain specified devices or a group of devices. Even the option of searching only the current startup or current running configuration of a particular device or a group of devices, is available. To refine configuration search, 1. Go to the search dialog located in the right corner, just below the DeviceExpert tabs on top of the Web Interface 2. Enter the search keyword 3. Click the link "Configuration" located next to the search dialog 4. Files with matching entries in all the startup & running configuration files are displayed 5. Click the link "Refine Search" available in the right corner 6. In the UI that opens, select the device(s) or device group whose configuration is to be searched 7. Click "Search"
Note: The number of search results are displayed on top of the search results page. For device search, the number of device matches is shown at the top whereas for configuration search, the number of file matches is shown. The search results are displayed at the rate of 10 per page, with provision for navigating from page to page.
AdventNet, Inc.
70
Admin Operations
Contents Overview Device Management Operations General Settings Tools
Overview
While configuring DeviceExpert for usage in your network, you can perform certain administrative operations. The operations are classified under three categories 1. Device Management 2. General Settings 3. Tools This section provides information on all the operations classified under the above categories.
Device Management
The following eight operations have been classified as 'Device Management' Operations 1. 2. 3. 4. 5. 6. 7. 8. Custom Templates All Schedules Change Management Credential Profiles Show Commands Upload Requests Label Management Export Configuration
Custom Templates
Refer to the section 'Automation using Templates & Scripts'
All Schedules
Refer to the section 'Scheduling Tasks'
Change Management
Refer to the section 'Configuration Change Management'
AdventNet, Inc.
71
Credential Profiles
Refer to the section 'Sharing Common Credentials Across Devices'
Show Commands
Refer to the section 'Viewing Device Configuration Details'
Upload Requests
The list of the configuration upload requests made by the Operators and the status of approval by 'Administrators' or 'Password Administrators' are shown here. 1. Go to "Admin" >> "Device Management" >> "Upload Requests" 2. In the UI that opens, the following details are displayed. Pending Requests - Showing the list of all requests that are pending approval Approved Requests - Showing the list of all requests that were approved by 'Administrators' or 'Password Administrators' Rejected Requests - Showing the list of all requests that were rejected by 'Administrators' or 'Password Administrators' along with the reason for rejection.
Label Management
For any version of configuration, you can associate a label - that is, a unique tag. As configuration versions keep on changing, you will have difficulty in remembering the version number of a particular good configuration. To avoid that, you can associate the version with a label for easy identification. You can associate labels directly for the current configuration of any device. Labels can be associated with any other desired version also. Creating Labels You can create any number of labels and use them whenever needed - that is, associate them with desired configuration versions. To create labels, 1. Go to "Admin" >> "Device Management" >> "Label Management" 2. In the UI that opens, click "New Label". Provide a name for the label and in the textfield for "Description" provide details for future reference [to remember and identify the label] and click "Save" 3. The new label has been created; the name of the label will be listed in UI; it will be listed in all the drop-downs that are related to associating a label Labeling current Configuration The current startup and running configuration of any device or group of devices can be labeled with a unique tag. This labelling comes in handy when you want to revert to that particular configuration version. This tagging would also be useful for reverting to a previous good version in the event of a disaster.
AdventNet, Inc.
72
To put a label to a current configuration of a device or a group of devices, 1. Go to "Inventory" and select the devices whose current configurations are to be labeled 2. Click the button "More Actions" >> "Label Current Configuration" 3. In the UI that opens, you can select a label from the available labels OR you can create a new label. In the text field for "Description" provide details for future reference [to remember and identify the label] and click "Update" Note: You can label the current configurations of devices belonging to a device group from the "Inventory" >> "Device Group" >> <Name of the Device Group> >> "More Actions" >> "Label Current Configuration". Putting Labels to desired versions You can associate labels to any desired configuration version. To associate label for a specific version of a particular device, go to "Inventory" >> "All Devices" >> go to the "Device Details" page by clicking the name of the device. Click "Current Version" against Startup/Running as required and select the desired configuration version from the drop-down; click "Associate Label" and follow the steps detailed above.
Export Configuration
Refer to the section 'Disaster Recovery'
General Settings
The following nine operations have been classified as 'General Settings': 1. 2. 3. 4. 5. 6. 7. 8. 9. User Management Change Password Mail Settings Proxy Settings Trouble-Ticket Settings SNMP Trap Settings Database Administration Database Backup Log Level
User Management
Refer to the section "Role-based user access control"
Change Password
Users having an account with the DeviceExpert, can change their own password and email ID. The "Edit Account settings" tab facilitates changing of password and email ID. Using this tab, the currently logged in user can change his/her password and email ID alone.
AdventNet, Inc.
73
For Users with Administrative Privileges Users having admin privileges can change their login password through the 'Edit Account Settings' functionality of "Admin" Tab. To Change Login Password and/or email address 1. Go to "Admin" >> "General Settings" >> "Change Password" 2. Enter details such as old password, new password, confirm the password, change the email address if required and click "Save"
Mail Settings
DeviceExpert sends various notifications to the users (for example, reports) using an SMTP mail server running in your network. This section explains how to specify the SMTP server details and entering email IDs. To specify SMTP Server details, 1. Go to "Admin" >> "General Settings" >> "Mail Settings" 2. Enter SMTP server name in the text field, enter SMTP port and enter username and password, if your SMTP settings require authentication 3. In the text field for 'From' or 'Sender' address, specify the email id of the originator of the email; by default, the from address is specified as 'noreply@adventnet.com'. 4. After configuring the 'Mail Settings', you can test if connection could be established with your server. Click "Test". DeviceExpert will attempt to establish connection with your mail server. If the configuration is proper and if DeviceExpert is able to establish a connection, you will see the message "Mail Server connection established successfully". 5. Click "Save", if you have changed SMTP settings By default, the SMTP server runs in the port 25. You can specify any other SMTP server also.
Proxy Settings
In your enterprise network setup, you might need to go through a proxy server to access the internet. In such a case, you need to configure the username and password for internet access. This section explains how to carry out proxy configuration. To configure proxy settings, 1. Go to "Admin" >> "General Settings" >> "Proxy Settings" tab The parameters to be configured are: HTTP Proxy Host: Host name of the proxy server (eg: proxy-server) HTTP Proxy Port: Port number at which the server is running (eg: 80) Username to access the internet Password
After configuring the 'Proxy Settings', you can test if connection could be established with the proxy server. To test, just click the button "Test" of "Test Mail
AdventNet, Inc.
74
Server". DeviceExpert will attempt to establish connection with proxy server. If the configuration is proper and if DeviceExpert is able to establish a connection, you will see the message "Success".
Database Administration
In typical production environments, DeviceExpert would deal with a huge amount of data related to device configuration. Audit logs on who performed what operation and when, also gets piled up in the database. Over a period of time, it becomes too huge a size. If you want to remove unwanted data, you can do periodic database cleanup. You can perform two types of cleanup operations: 1. Device Audit cleanup 2. Configuration History Cleanup To cleanup device audit logs, 1. Go to "Admin" >> "General Settings" >> "Database Administration" 2. In the UI that opens up, select the checkbox below 'Device Audit Cleanup'. The audit logs generated prior to a specified number of days could be deleted. For example, if you choose '10 days', all audit logs older than 10 days will be deleted. Also, at any point of time, the audit logs of the recent 10 days alone would be maintained. You can select the days in the range of 10,20,30,60,90 and 120 from the drop-down 3. Click 'Save'
AdventNet, Inc.
75
Configuration History Cleanup 1. Go to "Admin" >> "General Settings" >> "Database Administration" 2. In the UI that opens up, select the checkbox below 'Configuration History Cleanup'. You can specify the maximum number of configuration versions that are to be kept in the database for each device and each configuration type. For example, if you choose to keep 10 versions in the history, only the most recent 10 versions would be kept in the history. This applies independently for each configuration type - that is, latest 10 versions in startup and 10 versions in running would be kept in the history. You can select the number in the range of 10,20,30,40,50 and 100 from the drop-down 3. Click 'Save' Important Note: While removing older versions, as per the number set by you, the following rule would be applied. While removing the versions, BASELINE version and those versions above it will not be removed. For example, if you want to keep only the latest 10 configuration versions in the history and if there are say 15 versions at present, DeviceExpert will start removing the versions 1,2,3,4 & 5. While doing so, if, say version 3 has been labelled as BASELINE, DeviceExpert will immediately stop the deletion process. Versions 1 and 2 alone would be removed. All versions from 3 to 15 would be left undisturbed even though you have preferred to keep only 10 versions in the history.
Database Backup
Refer to the section on 'Disaster Recovery'
Log Level
In the event of any issues, DeviceExpert server logs help us in getting to the root of the issue. Printing of log messages can be controlled through the two log levels. This section explains how to set the desired level. Setting Server Log Level Printing of log messages can be controlled through the two log levels - DEBUG and INFO. DEBUG level prints all messages and it is useful for debugging purposes. The other level INFO prints some information messages. The default Log Level is 'INFO'. To modify Log Levels, 1. Go to "General Settings" >> "General Settings" >> "Log Level" 2. In the UI that opens, select the desired log level from the drop-down and click "Save"
AdventNet, Inc.
76
Tools
DeviceExpert provides tools to enable administrators perform various administrative operations. At present, two tool are available: 1. Database Access tool to access the in-built database of DeviceExpert to execute standard queries 2. SysObjectID Finder to get the sysObjectID of devices
Accessing Database
To access the Database, 1. Go to "Admin" >> "Tools" >> "Database Console" 2. In the console, enter the query to be executed [only 'select' 'delete' and 'update' queries are supported] Remember the following when executing a query, 1. Table names and table columns are case-sensitive 2. For SELECT queries, set the row limit between 1 and 500. Default row limit is 10 Warning! You are directly accessing the database at your own risk. Any update or delete operations will result in loss of data.
AdventNet, Inc.
77
Disaster Recovery
Contents Overview Backing up Device Configuration Files Backing up the Entire Database Restoring Backedup Data
Overview
In the rare event of something going wrong with DeviceExpert, it is important to have a backup of device configuration to recover from the disaster. DeviceExpert provides two utilities to achieve this: 1. Backing up the device configuration files 2. Backing up the entire database Once you have the backup, it is easy to achieve a quick disaster recovery. In the DeviceExpert GUI, tools have been provided to export the configuration files & backing up the database. Besides, scripts have been provided to facilitate backup of configuration files or database when DeviceExpert server is not running.
AdventNet, Inc.
78
To schedule export of configuration files, 1. Go to "Admin" >> "Device Management" >> "Export Configuration" 2. In the UI that opens up, select the desired option - Daily, Weekly or Monthly. Also, choose the desired time/day/date accordingly 3. You can even intimate the result of the export operation (whether success/failure) to desired recipients via email. Just enter the required email id in the text field 4. Click 'Save' 5. The schedule will get executed at the required time. You can view the result of the execution by clicking the link 'View Execution History' present at the top right hand corner 6. The exported configuration files will get stored under <DeviceExpert_Home>/config_backup directory Note: To disable the execution, select the 'Never' option. Exporting Configuration files when DeviceExpert Server is not running DeviceExpert provides a script, which will generate configuration files of each device in text format and store it under a separate directory. To take backup of configuration files, 1. Open a command prompt and navigate to <DeviceExpert_Home>/bin directory 2. Execute configbackup.bat (in windows) OR sh configbackup.sh (in Linux) 3. A new directory "config_backup" will be created under <DeviceExpert_Home> and the configuration files will be saved under this. 4. The filename will be of the format: <ResourceName>_<FileType>.txt. For example, cat2900_Running.txt and cat2900_Startup.txt You can take a backup of 'config_backup' directory through your own automated backup mechanism.
5. Click 'Save'. The schedule will get executed at the required time. You can view the result of the execution by clicking the link 'View Execution History' present at the top right hand corner 6. The backup files will get stored under <DeviceExpert_Home>/Backup directory Note: To disable the execution, select the 'Never' option. Taking Backup when DeviceExpert Server is not running DeviceExpert provides a script, which will take backup of DeviceExpert DB and store it under a separate directory. 1. Open a command prompt and navigate to <DeviceExpert_Home>/bin directory 2. Execute backupDB.bat (in windows) OR sh backupDB.sh (in Linux) 3. A new directory "Backup" will be created under <DeviceExpert_Home> and the contents of the DB are saved under this directory 4. The filename of the DB backup contents will be of the format: <YY-MMDD>-<TIME>.zip. For example, 060915-1508.zip (That is, backup created at 15:08 hrs on 15 September 2006) You can take a backup of 'Backup' directory through your own automated backup mechanism. To restore the backedup contents, Before restoring the backedup contents in DeviceExpert, make sure you reinitialize the database. The restoration process takes the following steps: 1. Open a command prompt and navigate to <DeviceExpert_Home>/bin directory 2. Execute deviceexpert.bat/sh reinit 3. Once reinitializing the DB is completed, execute restoreDB.bat <DB Backup file name> (in windows) OR sh backupDB.sh <DB Backup file name> (in Linux)
AdventNet, Inc.
80
Troubleshooting Tips
Contents Installation, Un-installation, Startup and Shutdown Web Interface Miscellaneous
Note: We update the Troubleshooting Tips section constantly. Please refer to the troubleshooting tips section in our website for updated details.
Web Interface
While trying to connect web-client, I see a blank page with five small square boxes on top. Why ? Cause & Solution: In Internet Explorer, if you have tried to connect client using http://<host>:6060, this issue will arise. Since the DeviceExpert server and the Web Interface communicate through https, make sure that you connect to https://<host>:6060 (secure http).
AdventNet, Inc.
81
I am unable to access DeviceExpert Server through the Web Interface. Why? Cause Incomplete server start-up Solution Ensure that the server has successfully started. This can be verified by the presence of the message "Server started in :: [xyz ms]" in the console. Connect to the web client after seeing this message. DeviceExpert server and the Web Interface communicate through https. So ensure the URL contains HTTPS. https://<hostname>:port/ For e.g. https://localhost:6060 Check the log files available under <DeviceExpert_Home>/logs directory. If you find any exceptions, please send the log files to support@deviceexpert.com
Wrong URL
While trying to connect web interface, I get the message "Problem in starting TFTP Server. Free the port "69". Cause: TFTP port required by DeviceExpert is not free. Some application running in your machine might be using that. Solution: Free the port and then start DeviceExpert. In case, you are running ManageEngine OpManager or ManageEngine WiFiManager in the same machine as that of DeviceExpert, carryout the following changes to free the TFTP port. Check if the TFTP service is running when OpManager/WiFiManager is running. If yes, comment out the following lines in NmsProcessesBE.conf located in <OpManager_Home>/conf or <WiFiManager_Home>/conf directory as shown below: # java com.adventnet.nms.tftp.NmsTftpServer [TFTP_ROOT_DIRECTORY dir] [PORT portNo] #PROCESS com.adventnet.nms.tftp.NmsTftpServer #ARGS TFTP_ROOT_DIRECTORY / Save the file and restart OpManager/WiFiManager. Then start DeviceExpert.
While invoking deviceexpert.bat portcheck or sh deviceexpert.sh portcheck / while trying to start the server, I get a message like the one below: ----------------------------------------Port Availability Module ----------------------------------------6060 No Client 43306 No mysql 69 No TFTP 514 No Syslog
AdventNet, Inc.
82
################################################## ########################### Server is already running Connect to https://localhost:6060 to view the client ################################################## ########################### Press any key to continue . . . Cause & Solution: Since all the ports required by DeviceExpert are not free, it indicates that DeviceExpert server is already running. Try connecting to https://localhost:6060 to view the web interface My web interface looks crippled Cause Incompatible Browser Solution Refer to the DeviceExpert System Requirements, and check whether your browser is supported. JavaScript has to be enabled in your browser for you to work with the Web Interface.
Alignment in web interface is not proper Cause: This could be a problem with browser cache Solution: Close all browser instances, clear cache and cookies and connect a new instance. If the problem still persists, contact the support team at support@deviceexpert.com
Miscellaneous
Configuration Backup Fails Cause & Solution: (1) Check if the device is up and accessible to the DeviceExpert server (2) Telnet to the device and try executing configuration backup command. While doing so, give the DeviceExpert server address as the TFTP address (because DeviceExpert starts TFTP server along with it). If the backup operation is successful, (that is, if you see backedup configuration stored as a file under <DeviceExpert_Home>/tftp_files directory), backup should also work with DeviceExpert. If the backup fails from Telnet prompt itself, check if DeviceExpert server and device are separated by a firewall which might block the configuration file transfer to the TFTP server. If you still face issues, contact support@deviceexpert.com. When I use Telnet-Tftp option, configuration backup fails repeatedly. Why? Cause: You would face this scenario if the device credentials are incorrect
AdventNet, Inc.
83
Solution: Make sure that credentials are correct. Test the same using "Testing" option available in that screen. The test result will show which credentials are wrong. Change them accordingly. In case, you are not able to get it working even after ensuring this, send your log files to DeviceExpert Support for further assistance While trying to connect web interface, I get the message. I get the message "IPAddress of machine is returned as loop-back-address" . Cause: When DeviceExpert queries for machine IP through a java program, if it returns 127.0.0.1 (loop-back address) instead of actual IP, this issue would occur. This can be verified by executing the command "ping <host_name>". Response will be something like the one below: 64 bytes from <host_name> (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms 64 bytes from <host_name> (127.0.0.1): icmp_seq=1 ttl=64 time=0.025 ms Solution: For Linux: To solve this, try the following configuration change if your machine is configured with static ip address. In /etc/hosts file you might see the entries as 127.0.0.1 localhost.localdomain localhost <host_name> Change this to 127.0.0.1 localhost.localdomain localhost <ipaddress> <host_name> After doing this change, do the ping test again "ping <host_name>" and make sure that correct IP address is returned from it. For Windows: Verify IP configuration settings. After DeviceExpert startup, I am prompted to accept a security certificate. Why? Cause: After DeviceExpert server startup, a browser is launched for connecting web interface. Since DeviceExpert uses secure http, the security certificate is prompted. You need to accept the security certificate for connecting to the client. Can I use my own SSL certificate? How? Yes, you can add your own SSL certificate. Detailed procedure is available in our website. Mail sent from product does not reach the intended recipient Cause: Mail settings might be incorrect Solution: Verify Mail Server settings and test the same using "Test" option. Also, check if the default from address is properly configured in Mail Settings page.
AdventNet, Inc.
84
Some mail servers will reject the mail if the from address is invalid or does not exist at all. 'Upload' option present in the ViewDraftDetails/ViewConfigFileDetails pages are shown as 'disabled' Cause & Solution: The 'Upload' option will be shown as disabled in the following two scenarios: (1) When the viewing configuration is a current configuration (2) When the viewing configuration type upload is not supported by the device So, check if you it disabled in the above scenarios. I have chosen the group 'All Devices Group' in the graph. But the graph count shows less number of devices Cause: 'All Devices Group' lists only those devices that are not disabled. Solution: Check if the devices not shown are enabled. I encounter problems in reinitializing DeviceExpert Cause: Reinitialize script/batch file is to be invoked only when the server is not running. At times, a lock file named .lock gets created under <DeviceExpert_Home>/bin directory. This creates problems when reinitializing the server even when it is not running. Solution: Make sure you are not attempting to reinitialize while the server is running. Navigate to <DeviceExpert_Home>/bin directory and check if ".lock" file had been created. If so, remove it. We update the Troubleshooting Tips section constantly. Please refer to the troubleshooting tips section in our website for updated details.
AdventNet, Inc.
85